
Research On Cooperative Model Of Intrusion Detection And Honeypot

Posted on: 2011-02-02
Degree: Master
Type: Thesis
Country: China
Candidate: Z Z Zhang
Full Text: PDF
GTID: 2178360308458140
Subject: Computer system architecture

Abstract/Summary:
With the rapid development of computer networks, traditional passive defensive technologies such as intrusion detection cannot meet the growing security requirements of complex networks. Integration and collaboration between intrusion detection and other technologies are urgently needed. Because intrusion detection systems are imperfect, problems such as how to reduce their false positive and false negative rates remain to be solved. On the other hand, the honeypot, as a new active defense technology, has many advantages: it collects a small amount of high-value data and is capable of detecting unknown attacks. Research on collaboration between honeypots and intrusion detection systems is therefore a problem worthy of study.

In view of the shortcomings of current intrusion detection, this thesis analyzes the principles of honeypots, decision trees and intrusion detection, and investigates several problems in the essential technologies of each. The primary work and achievements of this thesis are as follows:

Firstly, drawing on the advantages of honeypots and decision tree algorithms and addressing the problems of current intrusion detection, a model called IDMDT (Intrusion Detection Model based on Decision Tree and Honeypot) is proposed. In this model, a Honeywall is introduced to ensure the security of the internal network and to confuse an intruder during an intrusion. The honeypot system consists of both real and virtual honeypots; the combination lets each compensate for the other's weaknesses and avoids a single point of failure. For secure data storage, the captured data are transmitted over the network and stored on a remote log server. For rule extraction, the C4.5 algorithm is chosen for its advantage in speeding up the conversion of captured data into intrusion rules and in updating the rule base.

Secondly, given the many irrelevant and redundant attributes present among continuous attributes and the difficulty of analyzing continuous attributes, an algorithm based on rough set theory is proposed that focuses on the selection of continuous attributes. It reduces the number of continuous attributes to be analyzed and facilitates the implementation of the mining algorithm. Furthermore, because C4.5 has a low accuracy rate when making intrusion decisions on continuous attributes, an improved algorithm called K-C4.5 is proposed. To verify the improved performance of the algorithm, research and analysis were carried out; experimental results show that the proposed algorithm performs better when there are more continuous attributes or a large amount of data.

Thirdly, common tools such as Honeyd, Snort and Sebek are used to build experiments in the existing environment, and simulations are carried out based on the proposed model. The simulation results show that the cooperative intrusion detection and honeypot system has advantages over current intrusion detection systems in reducing false alarm and false negative rates.

Finally, the thesis is summarized. Although the model designed here improves on previous models, many issues remain unresolved, such as how to increase the attractiveness (the "sweetness") of the honeypot to intruders, so further research and analysis are needed.
Keywords/Search Tags: Intrusion Detection System, Honeypot, Decision Tree, Rough Set